Module 10: Monitoring and communication Flashcards

1
Q

Key information in the documentation as part of the risk management process (5)

A
  • risks and their assessment and risk responses in a risk register
  • risk management decisions made and the reasons for those decisions
  • systems
  • financial models, including the assumptions and data employed
  • management failures, including nature of failure and losses incurred
2
Q

General considerations in communication as part of the risk management process (3)

A
  • clarity and relevance
  • timeliness vs volume and detail
  • reliability
3
Q

Communication can be (2)

A
  • formal or informal
  • external or internal

4
Q

Risk metrics

A

Measures / indicators of where a company is operating relative to its risk appetite and limits.

Metrics:

  • can be quantitative or qualitative
  • should be designed to indicate a change in risk profile
  • provide an early warning of a likely breach of a risk limit so that pre-emptive actions can be taken.
5
Q

Key Risk Indicators (KRIs)

A

Where risk metrics form a key part of an organisation’s risk management framework, they are typically referred to as Key Risk Indicators (KRIs).

A good KRI is one that is useful in (strategic) decision making.

6
Q

8 Desirable properties of risk reports

A

Risk reports should:

  • be clear, relevant, timely and reliable
  • be a role-based summary with the ability to drill down to more detail
  • link clearly to decisions that the organisation needs to make
  • provide a single point of access to data collected from different sources
  • consist of a mixture of qualitative and quantitative data (eg KRIs)
  • contain tabular or graphical formats to aid understanding
  • use a traffic light system to highlight priority areas
  • provide an opportunity for users to provide comment / analysis.
7
Q

Outline 4 key processes and systems that should be properly documented

A

Processes and systems which should be properly documented include:

  1. risk management decisions made and the reasons for those decisions
  2. systems (eg systems specification and user-acceptance testing of IT systems)
  3. financial models, including the assumptions and data employed in the model.
  4. risk management failures, including the nature of failure and losses incurred.
8
Q

List the desirable features of information used for monitoring and/or reporting purposes

A

Information needs to be:

  • delivered to the users in a timely manner
  • reliable (ie free from error)

There is also a trade-off between collecting too much information, so that it cannot be usefully digested, and too little, so that it is uninformative.

9
Q

Describe 5 types of communication

A

Communication can be:

  1. INTERNAL (management information)
    information about what is happening inside the business, eg cashflow position, sales, inventory levels
  2. EXTERNAL (inwards)
    collecting relevant information about what is happening outside the company, eg competitors’ sales
  3. EXTERNAL (outwards)
    distributing information about the company to interested parties, eg media, shareholders and regulators
  4. INFORMAL
    by word-of-mouth (or the technological equivalents, such as social media)
  5. FORMAL
    through a corporate intranet, management information systems, reports and/or corporate newsletters
10
Q

Describe a tool that is essential to avoiding problems such as duplications or omissions in internal risk communications

A

Having a consistent “risk language” (taxonomy) is key to avoiding problems such as duplication or omission of risks.
This common risk language should serve to increase the speed with which ERM becomes embedded in an organisation, and is particularly important for multi-national companies, where the use of different terminology in different domains can confound the ERM process.

11
Q

Outline how managers might use a KRI

A

Managers may use Key Risk Indicators (KRIs) to identify when risk limits are close to being exceeded (or actually have been exceeded).
They prompt actions designed to keep the organisation within its risk tolerances.

12
Q

Describe the factors an organisation should consider when deciding what KRIs should be used

A

In order to decide what KRIs should be used, an organisation will consider:

  • its policies and regulations (eg regulatory limits)
  • its strategies and objectives (eg volatility of results)
  • past losses and incidents (to help judge what is significant)
  • stakeholder requirements (eg variables monitored by credit rating agencies)
  • its risk assessments (some areas may require closer scrutiny than others)
13
Q

List desirable features of a KRI

A
  • should be quantifiable
  • based on consistent methodologies and standards
  • incorporates key risk drivers (exposure, probability, severity and correlation)
  • quantifiable
  • tracked over time
  • tied to objectives
  • linked to an accountable individual
  • useful in decision making
  • able to be benchmarked externally
  • timely
  • cost effective to measure
  • simple (not simplistic)
14
Q

State what is meant by a feedback loop, and outline the key purpose in incorporating feedback loops into the ERM framework and associated processes

A

A feedback loop is a process by which management and other stakeholders are informed of any significant issues or changes in the business and/or the environment.

Information about changes may come from sources that provide information about past events, the present or expectations for the future.

Incorporating feedback loops is one way in which an organisation can ensure that its ERM framework is able to identify and respond appropriately to such changes.

15
Q

Outline the key components of a risk report to a Board

A

A risk report to a Board should include:

  • both qualitative and quantitative information
  • a summary of losses and incidents
  • a summary of business risks and the key discussions and decisions required from the Board
  • a narrative from management on important data and trends
  • key performance indicators (KPIs) against key risk indicators (KRIs) with important deviations and trends highlighted
  • important events / milestones - eg a regulatory visit
16
Q

Describe how a management reporting system might be best designed, including the desirable features of such a system

A

Reporting is designed using a top-down approach, ie given a particular audience, consider what information they need to make the decisions they are responsible for making.
Once this information is identified and sourced, it needs to be presented in a way that is easily understood.

Increasingly, in many organisations, traditional, historically-focused, silo-based, data-driven, manually-prepared, paper-based, static reports are being replaced by forward-looking, dynamic, integrated, decision-driven, online reporting systems.

17
Q

Balanced scorecard / Dashboard reporting

A

Integrates business and financial reporting. In addition to KPIs in each area, risk assessment in the form of KRIs is usually incorporated into the scorecard.

A balanced scorecard usually assesses four main areas:

  1. finance
  2. stakeholders
  3. growth and learning
  4. internal business processes
18
Q

Outline an “ERM scorecard” and how it might be used to assess an ERM function

A

An ERM scorecard could consider:

  • the cost of risk (ie losses and mitigation / management costs) - has it been minimised?
  • regulatory / policy violations - no surprises?
  • performance-based feedback loops - eg risk assessments (ex-ante) versus actual losses / events (ex-post)
  • ERM development milestones - have they been met?
19
Q

Lam describes a good reporting system as one that provides (5)

A
  • a single point of access to critical risk information collated from various risk systems and data sources
  • a role-based summary of risks to key decision makers with drill-down capabilities to more detailed information
  • prioritised just-in-time information (eg from real-time alerts to quarterly summaries)
  • a mixture of qualitative / quantitative, internal / external data
  • an opportunity for users to provide commentary, explanation or analysis of the information
20
Q

Some reporting systems make mistakes such as (4)

A
  • simply collating data from silos
  • overwhelming users with too much information
  • providing too much qualitative data that does not aid decision making
  • focusing on quantity, rather than on quality of information